Data Protection
Last updated:
1. Introduction
At Livanu Inc. ("Livanu", "we", "us", or "our"), we are committed to protecting the data you entrust to us. This Data Protection Policy outlines our comprehensive approach to safeguarding your personal and health information, the security measures we implement, and your rights regarding your data.
This policy applies to all data collected through our website, mobile application, and health monitoring devices (collectively, the "Services").
2. Our Data Protection Principles
Our approach to data protection is guided by the following core principles:
- Lawfulness, Fairness, and Transparency: We process your data lawfully, fairly, and in a transparent manner.
- Purpose Limitation: We collect data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
- Data Minimization: We limit data collection to what is necessary for the purposes for which it is processed.
- Accuracy: We take reasonable steps to ensure your data is accurate and kept up to date.
- Storage Limitation: We retain data only for as long as necessary for the purposes for which it is processed.
- Integrity and Confidentiality: We process data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- Accountability: We are responsible for and can demonstrate compliance with data protection principles.
3. Data Security Measures
We implement robust technical and organizational measures to protect your data. Our comprehensive security framework includes:
3.1 Technical Security Measures
- Encryption: We use industry-standard encryption protocols (TLS/SSL) for data in transit and AES-256 encryption for sensitive data at rest.
- Access Controls: We implement strict role-based access controls to ensure only authorized personnel can access your data.
- Multi-Factor Authentication: We require multi-factor authentication for administrative access to systems containing user data.
- Firewalls and Intrusion Detection: We deploy advanced firewalls and intrusion detection systems to prevent unauthorized access.
- Regular Security Updates: We maintain regular security patches and updates for all systems and applications.
- Secure Development: We follow secure coding practices and conduct regular security code reviews.
- Data Backups: We perform regular encrypted backups to prevent data loss.
3.2 Organizational Security Measures
- Security Training: All employees undergo regular data protection and security awareness training.
- Data Protection Officer: We have appointed a dedicated Data Protection Officer to oversee our data protection strategy.
- Security Policies: We maintain comprehensive information security policies and procedures.
- Third-Party Assessments: We conduct regular security assessments and audits by independent third parties.
- Incident Response Plan: We have a documented incident response plan to address potential data breaches promptly.
- Vendor Management: We carefully select and monitor third-party service providers who may process your data.
3.3 Physical Security Measures
- Secure Data Centers: Our infrastructure is hosted in SOC 2 compliant data centers with 24/7 monitoring, biometric access controls, and environmental protections.
- Office Security: Our offices implement physical access controls, surveillance systems, and secure document disposal.
- Device Management: We enforce encryption and security policies on all company devices that may access user data.
4. Health Data Protection
We understand the sensitive nature of health data and implement additional protections for this information:
- Segregated Storage: Health data is stored separately from other personal information with enhanced security controls.
- Anonymization and Pseudonymization: Where possible, we anonymize or pseudonymize health data for analytical purposes.
- Limited Access: Access to health data is strictly limited to personnel who require it to provide our services.
- Specialized Training: Staff handling health data receive specialized training on health data protection requirements.
- Compliance with Health Regulations: Our practices comply with relevant health data regulations in the jurisdictions where we operate.
5. Your Data Protection Rights
You have significant rights regarding your personal data. We are committed to honoring these rights and making it easy for you to exercise them:
5.1 Right to Access
You have the right to request copies of your personal data. We will provide this information in a structured, commonly used, and machine-readable format.
5.2 Right to Rectification
You have the right to request that we correct any information you believe is inaccurate or incomplete.
5.3 Right to Erasure (Right to be Forgotten)
You have the right to request that we erase your personal data, under certain conditions. This includes when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent and there is no other legal ground for processing
- You object to the processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
5.4 Right to Restrict Processing
You have the right to request that we restrict the processing of your personal data, under certain conditions. We will continue to store your data but will not process it further unless:
- You consent to further processing
- Processing is necessary for legal claims
- Processing is necessary to protect another person's rights
- Processing is necessary for reasons of important public interest
5.5 Right to Data Portability
You have the right to request that we transfer your data to another organization or directly to you. We will provide this data in a structured, commonly used, and machine-readable format.
5.6 Right to Object
You have the right to object to our processing of your personal data, under certain conditions. This includes the right to:
- Object to processing based on legitimate interests or for direct marketing
- Object to processing for scientific/historical research or statistical purposes
5.7 Rights Related to Automated Decision Making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
6. Data Breach Procedures
Despite our best efforts, data breaches can occur. In the event of a data breach that may affect your personal data, we will:
- Notify relevant supervisory authorities within 72 hours of becoming aware of the breach, where feasible
- Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Provide information on the nature of the breach, likely consequences, and measures taken to address and mitigate effects
- Document all breaches, including facts, effects, and remedial actions taken
7. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) when implementing new technologies or processing activities that may pose high risks to your privacy. These assessments help us:
- Identify and minimize data protection risks
- Assess the necessity and proportionality of processing
- Demonstrate compliance with data protection principles
- Implement appropriate technical and organizational measures
8. International Data Transfers
When we transfer your data outside your region, we ensure appropriate safeguards are in place:
- We use EU-approved Standard Contractual Clauses for transfers outside the EEA
- We verify that recipients provide adequate levels of data protection
- We implement additional technical measures to ensure secure transfers
- We limit transfers to what is necessary for providing our services
9. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements. Our retention periods are determined based on:
- The amount, nature, and sensitivity of the personal data
- The potential risk of harm from unauthorized use or disclosure
- The purposes for which we process the data
- Whether we can achieve those purposes through other means
- Applicable legal, regulatory, or contractual requirements
When your data is no longer needed, we will securely delete or anonymize it so that it can no longer be associated with you.
10. Children's Data Protection
We take special precautions to protect children's data:
- Our Services are not intended for children under 16 years of age
- We do not knowingly collect personal data from children under 16
- If we discover we have collected data from a child under 16, we will delete it promptly
- Parents or guardians who believe we may have collected data from their child can contact our Data Protection Officer
11. Updates to This Policy
We may update this Data Protection Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of any material changes by:
- Posting the updated policy on our website with a new "Last Updated" date
- Sending an email notification if we have your contact information
- Displaying a notice in our application
We encourage you to review this policy periodically to stay informed about our data protection practices.
12. Contact Our Data Protection Officer
If you have questions, concerns, or requests regarding your data or this Data Protection Policy, please contact our Data Protection Officer at:
Data Protection Officer
Livanu Inc.
Email: dpo@livanu.com
If you are located in the European Economic Area and believe we are not handling your data in accordance with applicable law, you have the right to lodge a complaint with your local data protection authority.